Resolving DNS queries between VPCs and your network - Amazon Route 53
How DNS resolvers on your network forward DNS queries to Route 53 Resolver endpointsHow Route 53 Resolver endpoint forwards DNS queries from your VPCs to your networkConsiderations when creating inbound and outbound endpoints

Resolving DNS queries between VPCs and your network

The Resolver contains endpoints that you configure to answer DNS queries to and from your on-premises environment.

Note

Forwarding private DNS queries to any VPC CIDR + 2 address from your on-premises DNS servers is not supported, and can cause unstable results. Instead, we recommend that you use a Resolver inbound endpoint.

You also can integrate DNS resolution between Resolver and DNS resolvers on your network by configuring forwarding rules. Your network can include any network that is reachable from your VPC, such as the following:

  • The VPC itself

  • Another peered VPC

  • An on-premises network that is connected to AWS with AWS Direct Connect, a VPN, or a network address translation (NAT) gateway

Before you start to forward queries, you create Resolver inbound and/or outbound endpoints in the connected VPC. These endpoints provide a path for inbound or outbound queries:

Inbound endpoint: DNS resolvers on your network can forward DNS queries to Route 53 Resolver via this endpoint

This allows your DNS resolvers to easily resolve domain names for AWS resources such as EC2 instances or records in a Route 53 private hosted zone. For more information, see How DNS resolvers on your network forward DNS queries to Route 53 Resolver endpoints.

Outbound endpoint: Resolver conditionally forwards queries to resolvers on your network via this endpoint

To forward selected queries, you create Resolver rules that specify the domain names for the DNS queries that you want to forward (such as example.com), and the IP addresses of the DNS resolvers on your network that you want to forward the queries to. If a query matches multiple rules (example.com, acme.example.com), Resolver chooses the rule with the most specific match (acme.example.com) and forwards the query to the IP addresses that you specified in that rule. For more information, see How Route 53 Resolver endpoint forwards DNS queries from your VPCs to your network.

Like Amazon VPC, Resolver is regional. In each region where you have VPCs, you can choose whether to forward queries from your VPCs to your network (outbound queries), from your network to your VPCs (inbound queries), or both.

You can't create Resolver endpoints in a VPC that you don't own. Only the VPC owner can create VPC-level resources such as inbound endpoints.

Note

When you create a Resolver endpoint, you can't specify a VPC that has the instance tenancy attribute set to dedicated. For more information, see Using Resolver in VPCs that are configured for dedicated instance tenancy.

To use inbound or outbound forwarding, you create a Resolver endpoint in your VPC. As part of the definition of an endpoint, you specify the IP addresses that you want to forward inbound DNS queries to or the IP addresses that you want outbound queries to originate from. For each IP address that you specify, Resolver automatically creates a VPC elastic network interface.

The following diagram shows the path of a DNS query from a DNS resolver on your network to Route 53 Resolver endpoints.

Conceptual graphic that shows the path of a DNS query from a DNS resolver on your network to Route 53 Resolver endpoints.

The following diagram shows the path of a DNS query from an EC2 instance in one of your VPCs to a DNS resolver on your network.

Conceptual graphic that shows the path of a DNS query from your network to Route 53 Resolver.

For an overview of VPC network interfaces, see Elastic network interfaces in the Amazon VPC User Guide.

Topics

How DNS resolvers on your network forward DNS queries to Route 53 Resolver endpoints

When you want to forward DNS queries from your network to Route 53 Resolver endpoints in an AWS Region, you perform the following steps:

  1. You create a Route 53 Resolver inbound endpoint in a VPC and specify the IP addresses that the resolvers on your network forward DNS queries to.

    For each IP address that you specify for the inbound endpoint, Resolver creates a VPC elastic network interface in the VPC where you created the inbound endpoint.

  2. You configure resolvers on your network to forward DNS queries for the applicable domain names to the IP addresses that you specified in the inbound endpoint. For more information, see Considerations when creating inbound and outbound endpoints.

Here's how Resolver resolves DNS queries that originate on your network:

  1. A web browser or another application on your network submits a DNS query for a domain name that you forwarded to Resolver.

  2. A resolver on your network forwards the query to the IP addresses in your inbound endpoint.

  3. The inbound endpoint forwards the query to Resolver.

  4. Resolver gets the applicable value for the domain name in the DNS query, either internally or by performing a recursive lookup against public name servers.

  5. Resolver returns the value to the inbound endpoint.

  6. The inbound endpoint returns the value to the resolver on your network.

  7. The resolver on your network returns the value to the application.

  8. Using the value that was returned by Resolver, the application submits an HTTP request, for example, a request for an object in an Amazon S3 bucket.

Creating an inbound endpoint doesn't change the behavior of Resolver, it just provides a path from a location outside the AWS network to Resolver.

How Route 53 Resolver endpoint forwards DNS queries from your VPCs to your network

When you want to forward DNS queries from the EC2 instances in one or more VPCs in an AWS Region to your network, you perform the following steps.

  1. You create a Route 53 Resolver outbound endpoint in a VPC, and you specify several values:

    • The VPC that you want DNS queries to pass through on the way to the resolvers on your network.

    • The IP addresses in your VPC that you want Resolver to forward DNS queries from. To hosts on your network, these are the IP addresses that the DNS queries originate from.

    • A VPC security group

    For each IP address that you specify for the outbound endpoint, Resolver creates an Amazon VPC elastic network interface in the VPC that you specify. For more information, see Considerations when creating inbound and outbound endpoints.

  2. You create one or more rules, which specify the domain names of the DNS queries that you want Resolver to forward to resolvers on your network. You also specify the IP addresses of the resolvers. For more information, see Using rules to control which queries are forwarded to your network.

  3. You associate each rule with the VPCs for which you want to forward DNS queries to your network.

Using rules to control which queries are forwarded to your network

Rules control which DNS queries Route 53 Resolver endpoint forwards to DNS resolvers on your network and which queries Resolver answers itself.

You can categorize rules in a couple of ways. One way is by who creates the rules:

  • Autodefined rules – Resolver automatically creates autodefined rules and associates the rules with your VPCs. Most of these rules apply to the AWS-specific domain names that Resolver answers queries for. For more information, see Domain names that Resolver creates autodefined system rules for.

  • Custom rules – You create custom rules and associate the rules with VPCs. Currently, you can create only one type of custom rule, conditional forwarding rules, also known as forwarding rules. Forwarding rules cause Resolver to forward DNS queries from your VPCs to the IP addresses for DNS resolvers on your network.

    If you create a forwarding rule for the same domain as an autodefined rule, Resolver forwards queries for that domain name to DNS resolvers on your network based on the settings in the forwarding rule.

Another way to categorize rules is by what they do:

  • Conditional forwarding rules – You create conditional forwarding rules (also known as forwarding rules) when you want to forward DNS queries for specified domain names to DNS resolvers on your network.

  • System rules – System rules cause Resolver to selectively override the behavior that is defined in a forwarding rule. When you create a system rule, Resolver resolves DNS queries for specified subdomains that would otherwise be resolved by DNS resolvers on your network.

    By default, forwarding rules apply to a domain name and all its subdomains. If you want to forward queries for a domain to a resolver on your network but you don't want to forward queries for some subdomains, you create a system rule for the subdomains. For example, if you create a forwarding rule for example.com but you don't want to forward queries for acme.example.com, you create a system rule and specify acme.example.com for the domain name.

  • Recursive rule – Resolver automatically creates a recursive rule named Internet Resolver. This rule causes Route 53 Resolver to act as a recursive resolver for any domain names that you didn't create custom rules for and that Resolver didn't create autodefined rules for. For information about how to override this behavior, see "Forwarding All Queries to Your Network" later in this topic.

You can create custom rules that apply to specific domain names (yours or most AWS domain names), to public AWS domains names, or to all domain names.

Forwarding queries for specific domain names to your network

To forward queries for a specific domain name, such as example.com, to your network, you create a rule and specify that domain name. You also specify the IP addresses of the DNS resolvers on your network that you want to forward the queries to. You then associate each rule with the VPCs for which you want to forward DNS queries to your network. For example, you can create separate rules for example.com, example.org, and example.net. Then you can associate the rules with the VPCs in an AWS Region in any combination.

Forwarding queries for amazonaws.com to your network

The domain name amazonaws.com is the public domain name for AWS resources such as EC2 instances and S3 buckets. If you want to forward queries for amazonaws.com to your network, create a rule, specify amazonaws.com for the domain name, and specify Forward for the rule type.

Note

Resolver doesn't automatically forward DNS queries for some amazonaws.com subdomains even if you create a forwarding rule for amazonaws.com. For more information, see Domain names that Resolver creates autodefined system rules for. For information about how to override this behavior, see "Forwarding All Queries to Your Network," immediately following.

Forwarding all queries to your network

If you want to forward all queries to your network, you create a rule, specify "." (dot) for the domain name, and associate the rule with the VPCs for which you want to forward all DNS queries to your network. Resolver still doesn't forward all DNS queries to your network because using a DNS resolver outside of AWS would break some functionality. For example, some internal AWS domain names have internal IP address ranges that aren't accessible from outside of AWS. For a list of the domain names for which queries aren't forwarded to your network when you create a rule for ".", see Domain names that Resolver creates autodefined system rules for.

However, autodefined system rules for reverse DNS can be disabled, allowing the "." rule to forward all reverse DNS queries to your network. For more information on how to turn off the autodefined rules, see Forwarding rules for reverse DNS queries in Resolver.

If you want to try forwarding DNS queries for all domain names to your network, including the domain names that are excluded from forwarding by default, you can create a "." rule and do one of the following:

Important

If you forward all domain names to your network, including the domain names that Resolver excludes when you create a "." rule, some features might stop working.

How Resolver determines whether the domain name in a query matches any rules

Route 53 Resolver compares the domain name in the DNS query with the domain name in the rules that are associated with the VPC that the query originated from. Resolver considers the domain names to match in the following cases:

  • The domain names match exactly

  • The domain name in the query is a subdomain of the domain name in the rule

For example, if the domain name in the rule is acme.example.com, Resolver considers the following domain names in a DNS query to be a match:

  • acme.example.com

  • zenith.acme.example.com

The following domain names are not a match:

  • example.com

  • nadir.example.com

If the domain name in a query matches the domain name in more than one rule (such as example.com and www.example.com), Resolver routes outbound DNS queries using the rule that contains the most specific domain name (www.example.com).

How Resolver determines where to forward DNS queries

When an application that runs on an EC2 instance in a VPC submits a DNS query, Route 53 Resolver performs the following steps:

  1. Resolver checks for domain names in rules.

    If the domain name in a query matches the domain name in a rule, Resolver forwards the query to the IP address that you specified when you created the outbound endpoint. The outbound endpoint then forwards the query to the IP addresses of resolvers on your network, which you specified when you created the rule.

    For more information, see How Resolver determines whether the domain name in a query matches any rules.

  2. Resolver endpoint forwards DNS queries based on the settings in the "." rule.

    If the domain name in a query doesn't match the domain name in any other rules, Resolver forwards the query based on the settings in the autodefined "." (dot) rule. The dot rule applies to all domain names except some AWS internal domain names and record names in private hosted zones. This rule causes Resolver to forward DNS queries to public name servers if the domain names in queries don't match any names in your custom forwarding rules. If you want to forward all queries to the DNS resolvers on your network, you can create a custom forwarding rule, specify "." for the domain name, specify Forwarding for Type, and specify the IP addresses of those resolvers.

  3. Resolver returns the response to the application that submitted the query.

Using rules in multiple Regions

Route 53 Resolver is a regional service, so objects that you create in one AWS Region are available only in that Region. To use the same rule in more than one Region, you must create the rule in each Region.

The AWS account that created a rule can share the rule with other AWS accounts. For more information, see Sharing Resolver rules with other AWS accounts and using shared rules.

Domain names that Resolver creates autodefined system rules for

Resolver automatically creates autodefined system rules that define how queries for selected domains are resolved by default:

  • For private hosted zones and for Amazon EC2–specific domain names (such as compute.amazonaws.com and compute.internal), autodefined rules ensure that your private hosted zones and EC2 instances continue to resolve if you create conditional forwarding rules for less specific domain names such as "." (dot) or "com".

  • For publicly reserved domain names (such as localhost and 10.in-addr.arpa), DNS best practices recommend that queries are answered locally instead of being forwarded to public name servers. See RFC 6303, Locally Served DNS Zones.

Note

If you create a conditional forwarding rule for "." (dot) or "com", we recommend that you also create a system rule for amazonaws.com. (System rules cause Resolver to locally resolve DNS queries for specific domains and subdomains.) Creating this system rule improves performance, reduces the number of queries that are forwarded to your network, and reduces Resolver charges.

If you want to override an autodefined rule, you can create a conditional forwarding rule for the same domain name.

You can also disable some of the autodefined rules. For more information, see Forwarding rules for reverse DNS queries in Resolver.

Resolver creates the following autodefined rules.

Rules for private hosted zones

For each private hosted zone that you associate with a VPC, Resolver creates a rule and associates it with the VPC. If you associate the private hosted zone with multiple VPCs, Resolver associates the rule with the same VPCs.

The rule has a type of Forward.

Rules for various AWS internal domain names

All rules for the internal domain names in this section have a type of Forward. Resolver forwards DNS queries for these domain names to the authoritative name servers for the VPC.

Note

Resolver creates most of these rules when you set the enableDnsHostnames flag for a VPC to true. Resolver creates the rules even if you aren't using Resolver endpoints.

Resolver creates the following autodefined rules and associates them with a VPC when you set the enableDnsHostnames flag for the VPC to true:

  • Region-name.compute.internal, for example, eu-west-1.compute.internal. The us-east-1 Region doesn't use this domain name.

  • Region-name.compute.amazon-domain-name, for example, eu-west-1.compute.amazonaws.com or cn-north-1.compute.amazonaws.com.cn. The us-east-1 Region doesn't use this domain name.

  • ec2.internal. Only the us-east-1 Region uses this domain name.

  • compute-1.internal. Only the us-east-1 Region uses this domain name.

  • compute-1.amazonaws.com. Only the us-east-1 Region uses this domain name.

The following autodefined rules are for the reverse DNS lookup for the rules that Resolver creates when you set the enableDnsHostnames flag for the VPC to true.

  • 10.in-addr.arpa

  • 16.172.in-addr.arpa through 31.172.in-addr.arpa

  • 168.192.in-addr.arpa

  • 254.169.254.169.in-addr.arpa

  • Rules for each of the CIDR ranges for the VPC. For example, if a VPC that has a CIDR range of 10.0.0.0/23, Resolver creates the following rules:

    • 0.0.10.in-addr.arpa

    • 1.0.10.in-addr.arpa

The following autodefined rules, for localhost-related domains, also are created and associated with a VPC when you set the enableDnsHostnames flag for the VPC to true:

  • localhost

  • localdomain

  • 127.in-addr.arpa

  • 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa

  • 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa

Resolver creates the following autodefined rules and associates them with your VPC when you connect the VPC with another VPC through transit gateway or VPC peering, and with DNS support enabled:

  • The reverse DNS lookup for the peer VPC's IP address ranges, for example, 0.192.in-addr.arpa

    If you add an IPv4 CIDR block to a VPC, Resolver adds an autodefined rule for the new IP address range.

  • If the other VPC is in another Region, the following domain names:

    • Region-name.compute.internal. The us-east-1 Region doesn't use this domain name.

    • Region-name.compute.amazon-domain-name. The us-east-1 Region doesn't use this domain name.

    • ec2.internal. Only the us-east-1 Region uses this domain name.

    • compute-1.amazonaws.com. Only the us-east-1 Region uses this domain name.

A rule for all other domains

Resolver creates a "." (dot) rule that applies to all domain names that aren't specified earlier in this topic. The "." rule has a type of Recursive, which means that the rule causes Resolver to act as a recursive resolver.

Considerations when creating inbound and outbound endpoints

Before you create inbound and outbound Resolver endpoints in an AWS Region, consider the following issues.

Number of inbound and outbound endpoints in each Region

When you want to integrate DNS for the VPCs in an AWS Region with DNS for your network, you typically need one Resolver inbound endpoint (for DNS queries that you're forwarding to your VPCs) and one outbound endpoint (for queries that you're forwarding from your VPCs to your network). You can create multiple inbound endpoints and multiple outbound endpoints, but one inbound or outbound endpoint is sufficient to handle the DNS queries for each respective direction. Note the following:

  • For each Resolver endpoint, you specify two or more IP addresses in different Availability Zones. Each IP address in an endpoint can handle a large number of DNS queries per second. (For the current maximum number of queries per second per IP address in an endpoint, see Quotas on Route 53 Resolver.) If you need Resolver to handle more queries, you can add more IP addresses to your existing endpoint instead of adding another endpoint.

  • Resolver pricing is based on the number of IP addresses in your endpoints and on the number of DNS queries that the endpoint processes. Each endpoint includes a minimum of two IP addresses. For more information about Resolver pricing, see Amazon Route 53 Pricing.

  • Each rule specifies the outbound endpoint that DNS queries are forwarded from. If you create multiple outbound endpoints in an AWS Region and you want to associate some or all Resolver rules with every VPC, you need to create multiple copies of those rules.

Using the same VPC for inbound and outbound endpoints

You can create inbound and outbound endpoints in the same VPC or in different VPCs in the same Region.

For more information, see Best practices for Amazon Route 53.

Inbound endpoints and private hosted zones

If you want Resolver to resolve inbound DNS queries using records in a private hosted zone, associate the private hosted zone with the VPC that you created the inbound endpoint in. For information about associating private hosted zones with VPCs, see Working with private hosted zones.

VPC peering

You can use any VPC in an AWS Region for an inbound or an outbound endpoint regardless of whether the VPC that you choose is peered with other VPCs. For more information, see Amazon Virtual Private Cloud VPC peering.

IP addresses in shared subnets

When you create an inbound or outbound endpoint, you can specify an IP address in a shared subnet only if the current account created the VPC. If another account creates a VPC and shares a subnet in the VPC with your account, you can't specify an IP address in that subnet. For more information about shared subnets, see Working with shared VPCs in the Amazon VPC User Guide.

Connection between your network and the VPCs that you create endpoints in

You must have one of the following connections between your network and the VPCs that you create endpoints in:

When you share rules, you also share outbound endpoints

When you create a rule, you specify the outbound endpoint that you want Resolver to use to forward DNS queries to your network. If you share the rule with another AWS account, you also indirectly share the outbound endpoint that you specify in the rule. If you used more than one AWS account to create VPCs in an AWS Region, you can do the following:

  • Create one outbound endpoint in the Region.

  • Create rules using one AWS account.

  • Share the rules with all the AWS accounts that created VPCs in the Region.

This allows you to use one outbound endpoint in a Region to forward DNS queries to your network from multiple VPCs even if the VPCs were created using different AWS accounts.

Choosing protocols for the endpoints

Endpoint protocols determine how data is transmitted to an inbound endpoint and from an outbound endpoint. Encrypting DNS queries for VPC traffic is not needed because every packet flow on the network is individually authorized against a rule to validate the correct source and destination before it is transmitted and delivered. It is highly improbable for information to arbitrarily pass between entities without specifically being authorized by both the transmitting and receiving entity. If a packet is being routed to a destination without a rule that matches it, the packet is dropped. For more information, see VPC features.

The available protocols are:

  • Do53: DNS over port 53. The data is relayed by using the Route 53 Resolver without additional encryption. While the data cannot be read by external parties, it can be viewed within the AWS networks. Uses either UDP or TCP to send the packets. Do53 is primarily used for traffic within and between Amazon VPCs.

  • DoH: The data is transmitted over an encrypted HTTPS session. DoH adds an added level of security where data can't be decrypted by unauthorized users, and cannot be read by anyone except the intended recipient.

  • DoH-FIPS: The data is transmitted over an encrypted HTTPS session that is compliant with the FIPS 140-2 cryptographic standard. Supported for inbound endpoints only. For more information, see FIPS PUB 140-2.

For an inbound endpoint you can apply the protocols as follows:

  • Do53 and DoH in combination.

  • Do53 and DoH-FIPS in combination.

  • Do53 alone.

  • DoH alone.

  • DoH-FIPS alone.

  • None, which is treated as Do53.

For an outbound endpoint you can apply the protocols as follows:

  • Do53 and DoH in combination.

  • Do53 alone.

  • DoH alone.

  • None, which is treated as Do53.

See also Values that you specify when you create or edit inbound endpoints and Values that you specify when you create or edit outbound endpoints.

Using Resolver in VPCs that are configured for dedicated instance tenancy

When you create a Resolver endpoint, you can't specify a VPC that has the instance tenancy attribute set to dedicated. Resolver doesn't run on single-tenant hardware.

You can still use Resolver to resolve DNS queries that originate in a VPC. Create at least one VPC that has the instance tenancy attribute set to default, and specify that VPC when you create inbound and outbound endpoints.

When you create a forwarding rule, you can associate it with any VPC, regardless of the setting for the instance tenancy attribute.